Ransomware Takes a Dangerous New Turn

I think everyone can agree that ransomware is dangerous enough as it is. It has taken down numerous companies, hospitals, cities, and government agencies. It has also brought down important segments of infrastructure as evidenced in the Colonial Pipeline attack. So, how can it get any worse? To find the answer to this question, it’s necessary to give a little background.

The Darkside ransomware group disappeared after they got their ransom from the Colonial Pipeline attack, and the REvil group disappeared on July 13th after its successful attack on Kaseya. But as I noted in my last post, these groups often disappear only to reappear under a new name. Members often shift between groups while working full time day jobs for Russian intelligence agencies. The Russian government, therefore, has some power to control these groups and possibly did after the Colonial Pipeline attack. There is an unwritten agreement between countries that the infrastructure is off limits, otherwise, a series of retaliatory infrastructure attacks could cause devastating worldwide effects.

It appears that members of either DarkSide, REvil, or both have emerged as a new ransomware group calling itself, BlackMatter. “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit”, the group announced. I’m nor sure what the “best features” of a ransomware group are, but they are only considered positive attributes if you are a member of the group and are planning on making a lot of money by causing problems.

Ransomware groups are no longer allowed to advertise for associates on major Russian hacking forum websites, but this didn’t seem to present a problem for BlackMatter. This is because they advertise that they are looking for “initial access brokers”. They mention nothing about ransomware-as-a-service (RaaS) so they avoided being banned. So what’s an initial access broker? This is generally considered to refer to people who have hacked their way into a network but don’t really want to exploit this access for themselves. BlackMatter offers them the opportunity to profit from the access they have gained. Depending on the size of the enterprise they have accessed, BlackMatter will pay these initial access brokers as much as $100,000 to use their access point. As an alternative, they can opt for a percentage of the profits made on the subsequent attack.

But BlackMatter is not interested in just any enterprise. They are looking for businesses that have annual revenues of over $100 million. They also want networks that have between 500 to 15,000 hosts. By hosts, I assume they mean devices that are connected to the network. The more devices connected, the more trouble they can cause and the higher the ransom they can ask for.

BlackMatter, like REvil and DarkSide, put limits on the type of targets they will attack. These are shown in the chart from their website shown below.

Note that they will not attack infrastructure and any components of the oil and gas industry. This seems to indicate ties to DarkSide which got in over its head in the Colonial Pipeline attack. They are also only interested in enterprises in the US, the UK, Canada, or Australia.

So, if your company is a private company which meets the criteria above, you have just had a target put on your back. Hackers and pentesters looking to make a little extra money will be looking for you. But I think there could be an even more dangerous situation that could develop.

A Disturbing Possibility

For the time being, BlackMatter is ‘advertising’ on Russian hacking forums and encrypted messaging platforms such as Telegram and Jabber. They should keep in mind that Jabber was already compromised by U.S. law enforcement as was evidenced in the Assange-Manning conversations that were released. In any event, those using any of these platforms are probably individuals who are already versed in hacking or are already members of other hacking groups. They understand hacking operations and know how to use cryptocurrencies and how to stay well-hidden.

The danger, as I see it, would occur if knowledge of BlackMatter’s recruitment proposition crosses over to mainstream platforms. If the word gets out that this group will pay good money for initial access points in large networks, then any employee with access to such a corporate network could be tempted. Disgruntled employees or employees having financial problems may see this angle as a relatively safe way to get revenge or extra cash. Those employees with administrative access would be most valuable and likely better able to make the most money. IT employees, who may understand more about the world of hacking and who often have more administrative privileges than most employees, would also tend to be more tempted.

BlackMatter would need to be cautious in reaching any agreement with someone who was naïve about the world of hacking as their actions may compromise the whole group. My guess is that they would have to take some time training such people in how to remain under the radar and use cryptocurrency. It’s a risk, and BlackMatter would have to decide on a case by case basis if it is a risk worth taking. However, the door is apparently open and more companies are now in jeopardy.

So what can companies do? First of all, make sure good endpoint protection is in place. Limit the number of people who have administrative rights. Keep a close watch on problem employees or employees who may be having financial troubles, especially if these employees work for IT.

Insiders are always a threat, but most companies don’t realize that insiders may not work directly for their company. They may work for companies in the supply chain.

The latest statistics on insider threats from Ponemon indicate that the situation continues to worsen. I’ve modified the graph to show the average cost of mitigating each type of insider misbehavior.

Employee or contractor negligence is easiest to mitigate through good endpoint protection. The malicious insiders are those that may seek out ransomware gangs to work with. This is the area I would expect to increase the most if BlackMatter’s offer becomes widely known. Credential theft occurs when hackers use various techniques to get the network login credentials of a privileged user. The last two categories are the most difficult for a company to detect and may go undiscovered until it is too late. Only detailed monitoring of network logs can detect unusual behavior.

It may be that ransomware groups will be too wary to work with company insiders. They may be suspicious of being contacted by people they don’t know. It may also take too much time to verify their credentials. On the other hand, these malicious insiders may be simply too valuable to ignore. Only time will tell which of these scenarios will prevail.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s